Section 4.13 Implement

Managing Patient ConsentPrepare to manage your clients’ consent for participating in health information exchange (HIE).

Time needed: 2 hoursSuggested other tools: NA

How to Use 1. Gain an appreciation of the need for managing patient consent and access in HIE.

2. Adopt tools to obtain, manage, and supply consent when submitting and/or requesting a given person’s health information via a health information exchange organization (HIO) or other HIE process.

Patient Consent for eHIE – Electronic Health Information ExchangeAs health information exchange through electronic systems increases, patients’ trust in HIE must be ensured – and patients may be more often asked to make an “informed” consent decisions.

This consent decision concerns the sharing and accessing of the patients’ health information through an eHIE for treatment, payment and healthcare operations purposes. To achieve this, many states have adopted consent requirements for their HIO/HIE/HDIs or have otherwise modified their state statutes on health information privacy.

Federal Resources – Meaningful Consent Support Through the ONC (Office of the National Coordinator) of Health Information Technology federal HHS resources support the concept of “meaningful consent” strategies and tools which can be used by health care providers to engage and educate patients, provide background information, videos, customizable tools, and provide practical implementation tips in fostering trust in new technologies and greater understanding of options for participating in meaningful informed consent decisions:

Resource Name URLPatient Consent for Electronic Health Information Exchange – eConsent Toolkit

http://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange

Meaningful Consent Overviewhttp://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange/meaningful-consent-overview

Patient Education and Engagementhttp://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange/patient-education-and-engagement

Technology Aspects of Capturing and Maintaining Consent Decisions

http://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange/patient-education-and-engagement

Health Information Privacy Law & Policyhttp://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange/health-information-privacy-law-policy

Recommendations to Health IT Policy Committee: Family, Friends & Personal Representative Access – Intersection of VDT for MU2

http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PersonalRepresentativeUpdate_2014-04-08.pdf

Section 4 Implement—Managing Person Consent - 1

State and Local Patient Consent RequirementsAlthough the federal government provides excellent tools to assist HIOs and the participants who use them, consent is unique to each state. In some cases, it is even unique to a certain HIO or provider organization that may choose to enforce more stringent requirements than its state or the federal government requires.

Minnesota provides an example of tools it uses to manage consent below. For more information on Federal, State and Organizational Resources about Consent, Personal Choice, and Confidentiality visit Quick Links under the Health Information Privacy Law and Policy URL above.

Minnesota Consent Resources URLMinnesota Privacy Resources http://www.health.state.mn.us/e-health/privacy/index.htmlMinnesota Health Records Act https://www.revisor.mn.gov/statutes/?id=144.291Minnesota Standard Consent Form and Instructions for Completing http://www.health.state.mn.us/divs/hpsc/dap/consent.pdf

Q&A: Standard Consent Form to Release Health Information (MN) http://www.health.state.mn.us/e-health/privacy/standconsentqa.pdf

Upper Midwest Health Information Exchange Consortium to advance Interstate Exchange of PHR (UM HIE)

http://www.health.state.mn.us/divs/hpsc/ohit/umhie.html including Consent Matrix, Common Consent Form, Request for HIE

Minnesota Privacy & Security Resources http://www.health.state.mn.us/e-health/privacy/index.html

MN Laws & Mandates (Index)http://www.health.state.mn.us/e-health/lawsmn.html including EHR, eRX, HIE Oversight, Health Record Act Fact Sheet, Healthcare Administrative Simplification

MN State Response to HITECH ACT http://www.health.state.mn.us/e-health/lawsmn.htmlMN Health Records Access Study (2013) http://www.health.state.mn.us/e-health/hras/hras2012.html

Managing Patient Consent for Your FacilityUse the following checklist to make sure you have appropriately addressed patient consent as you begin to use HIE:

Know the HIPAA requirements surrounding consent. HIPAA permits, but does not require, providers to obtain consent for use of protected health information for treatment, payment, and health care operations.

Know the requirements for obtaining consent in your state and care setting —which may be more stringent than HIPAA.

Be sure that both HIPAA and state consent and authorization requirements are applied in a manner consistent with the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (45 CFR Part 2). The following are useful references pertaining to electronic health record (EHR) and HIE:

o The Confidentiality of Alcohol and Drug abuse Patient Record Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs, June 2004, Substance Abuse and Mental Health Services Administration, http://www.samhsa.gov/healthprivacy/docs/samhsapart2-hipaacomparison2004.pdf

o HIPAA Crosswalk with 42 CFR Part 2, prepared by the Texas Department of State Health Services, http://www.dshs.state.tx.us/hipaa/privacynoticessa.shtm

o Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE), Prepared by the Legal Action Center for the Substance Abuse and Mental Health Services Administration, http://www.samhsa.gov/healthprivacy/docs/ehr-faqs.pdf

Section 4 Implement—Managing Person Consent - 1

Learn about the requirements for obtaining consent to participate in the HIO in your state or region in which you plan to participate.

o Opt in: requires action or affirmation by an individual for inclusion; default is exclusiono Opt out: requires action or affirmation for exclusion; default is inclusion

Collaborate with your EHR vendor to learn how you may be able to manage the person consent requirements of your HIO within your EHR.

Remember when using the Direct protocol for exchanging health information in secured email, there is no monitoring of person consent as there is within an HIO. This does not absolve you from obtaining consent, but may not require you to obtain consent as specific as would be required when participating in an HIO. Refer to Federal Meaningful Consent resources for additional information.

Because an HIO is considered an intermediary—and a HIPAA business associate of the participating covered entities—the relationship between a behavioral health provider and the HIO is somewhat different than when using Direct email only between two behavioral health providers or the provider and patient. Furthermore, most HIOs collect and store at least some health information. This may be used to aggregate data or simply to make it easier to facilitate the exchange of data. This intermediary data storage increases concerns about potential misuse of the data—hence the stricter requirements for consent in an HIO.

Note: the requirements for managing your client’s consent should be reviewed with your legal council.

Copyright © 2014 Stratis Health. Updated 04-17-14

Section 4 Implement—Managing Person Consent - 1